Help with Scorpion Saver - Ran Scans

Hello,

I'm one of the many people who have gotten infected with the dreaded Scorpion Saver. Here are the steps I have taken thus far:

1) Uninstalled it through Control Panel
2) Ran Malwarebytes Anti-Malware
3) Ran AdwCleaner
4) Ran FRST
5) Ran SystemLook

Attached are the relevant txt files. The malware is still in my system. Any help in removing it completely would be greatly appreciated.

Thank you!

mbam-log-2013-12-05 (22-26-35).txt

AdwCleanerS0.txt_After.txt

FRST.txt

Addition.txt

SystemLook.txt


Download the attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE: It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Next,

Download OTM from either of the following links and save it to your Desktop (if your security alerts to OTM, either accept the alert or turn off security to allow OTM to run):

http://oldtimer.geekstogo.com/OTM.exe
http://www.itxassociates.com/OT-Tools/OTM.com
http://www.itxassociates.com/OT-Tools/OTM.exe

Double click OTM.exe to start the tool. Vista or Windows 7 users: accept the UAC alert. Be aware that all processes will be stopped during the run, and the Desktop will also disappear; it will be put back on completion. If your security alerts to OTM, either accept the alert or turn off security until OTM completes.

  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Be sure to start with and include the colon before Reg (:Reg).

    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E28F712-0D6C-4EE3-AC8C-8F060F5D7C33}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CE321DA-DC11-45C6-A0FC-4E8A7D978ABC}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EEBC7FF-67DA-4B90-9251-C2C5696E4B48}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74137531-80F7-406F-9543-7D11385FA8C8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{832599B2-55BF-4437-8F3E-030CF5AEB262}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7B034B-944A-4261-B487-862F642F7615}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE91F9CE-0900-4E2A-B673-F3F6E4FC54D9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1A429DB-FB06-4645-B7C0-0CC405EAD3CD}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD67706E-819E-4EBD-BF8D-6D6147CC7A49}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F62A4AF9-58B4-4FEC-89CC-D717A547D8E8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Scorpion Saver]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3E28F712-0D6C-4EE3-AC8C-8F060F5D7C33}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6CE321DA-DC11-45C6-A0FC-4E8A7D978ABC}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6EEBC7FF-67DA-4B90-9251-C2C5696E4B48}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{74137531-80F7-406F-9543-7D11385FA8C8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{832599B2-55BF-4437-8F3E-030CF5AEB262}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{9B7B034B-944A-4261-B487-862F642F7615}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{AE91F9CE-0900-4E2A-B673-F3F6E4FC54D9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{B1A429DB-FB06-4645-B7C0-0CC405EAD3CD}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{DD67706E-819E-4EBD-BF8D-6D6147CC7A49}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{F62A4AF9-58B4-4FEC-89CC-D717A547D8E8}]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catalog\049970F0]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WinSock2\Parameters\AppId_Catalog\049970F0]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\AppId_Catalog\049970F0]
    [-HKEY_USERS\.DEFAULT\Software\AppDataLow\Software\Scorpion Saver]
    [-HKEY_USERS\S-1-5-18\Software\AppDataLow\Software\Scorpion Saver]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{9DC8FA51-B596-4f77-802C-5B295919C205}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E28F712-0D6C-4EE3-AC8C-8F060F5D7C33}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CE321DA-DC11-45C6-A0FC-4E8A7D978ABC}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EEBC7FF-67DA-4B90-9251-C2C5696E4B48}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74137531-80F7-406F-9543-7D11385FA8C8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{832599B2-55BF-4437-8F3E-030CF5AEB262}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7B034B-944A-4261-B487-862F642F7615}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE91F9CE-0900-4E2A-B673-F3F6E4FC54D9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1A429DB-FB06-4645-B7C0-0CC405EAD3CD}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD67706E-819E-4EBD-BF8D-6D6147CC7A49}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F62A4AF9-58B4-4FEC-89CC-D717A547D8E8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{9DC8FA51-B596-4f77-802C-5B295919C205}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3E28F712-0D6C-4EE3-AC8C-8F060F5D7C33}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6CE321DA-DC11-45C6-A0FC-4E8A7D978ABC}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6EEBC7FF-67DA-4B90-9251-C2C5696E4B48}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{74137531-80F7-406F-9543-7D11385FA8C8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{832599B2-55BF-4437-8F3E-030CF5AEB262}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{9B7B034B-944A-4261-B487-862F642F7615}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{AE91F9CE-0900-4E2A-B673-F3F6E4FC54D9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{B1A429DB-FB06-4645-B7C0-0CC405EAD3CD}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{DD67706E-819E-4EBD-BF8D-6D6147CC7A49}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{F62A4AF9-58B4-4FEC-89CC-D717A547D8E8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{9DC8FA51-B596-4f77-802C-5B295919C205}]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\AdpeakProxy]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catalog\049970F0]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\AdpeakProxy]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WinSock2\Parameters\AppId_Catalog\049970F0]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AdpeakProxy]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\AppId_Catalog\049970F0]
    :Files
    C:\Program Files\ScorpionSaver Services
    C:\Users\Elisa\AppData\Local\Temp\AdpeakProxyr.log
    C:\Users\Elisa\AppData\Local\Temp\AdpeakRegisterLSP.ini.log
    C:\Windows\System32\AdpeakProxy64.dll
    C:\Windows\SysWOW64\AdpeakProxy.dll
    C:\Windows\Temp\AdpeakProxy.log
    C:\Windows\Temp\AdpeakProxyr.log
    :Commands
    [EmptyTemp]

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Next,

Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a FULL scan

Make sure that everything is checked, and click Remove Selected on any found items.

Post the produced logs

Kevin

fixlist.txt
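Editor's addition: the PowerShell script below is not part of this thread and is not an OTM, FRST or Malwarebytes feature. It is a post-cleanup check that re-tests every registry key, file and Winsock provider the OTM script above is meant to remove, and lists whatever is still present. It takes the user profile path (C:\Users\Elisa), the CLSIDs, the AppID, the AppId_Catalog entry 049970F0 and the AdpeakProxy file names from the OTM script as given; the profile path is an assumption that must be adjusted on any other machine. Run it from an elevated PowerShell prompt after the OTM step and the reboot.

```powershell
# Added post-cleanup check (not part of this thread or of OTM/FRST/Malwarebytes).
# Re-tests the registry keys, files and Winsock LSP entry that the OTM script above
# removes, and reports anything that survived. Run from an elevated PowerShell prompt.
# Assumption: the profile path comes from the thread's OTM script; adjust it for another PC.
$UserProfile = 'C:\Users\Elisa'

# CLSIDs listed in the OTM script (the adware's COM registrations).
$Clsids = @(
    '{3E28F712-0D6C-4EE3-AC8C-8F060F5D7C33}', '{533403E2-6E21-4615-9E28-43F4E97E977B}',
    '{6CE321DA-DC11-45C6-A0FC-4E8A7D978ABC}', '{6EEBC7FF-67DA-4B90-9251-C2C5696E4B48}',
    '{74137531-80F7-406F-9543-7D11385FA8C8}', '{832599B2-55BF-4437-8F3E-030CF5AEB262}',
    '{9B7B034B-944A-4261-B487-862F642F7615}', '{AE91F9CE-0900-4E2A-B673-F3F6E4FC54D9}',
    '{B1A429DB-FB06-4645-B7C0-0CC405EAD3CD}', '{DD67706E-819E-4EBD-BF8D-6D6147CC7A49}',
    '{F62A4AF9-58B4-4FEC-89CC-D717A547D8E8}'
)
$AppId = '{9DC8FA51-B596-4f77-802C-5B295919C205}'

# Registry keys from the OTM script. CurrentControlSet is the live control set;
# ControlSet001/002 are checked as well because the OTM script targets them too.
$RegKeys = @(
    'HKLM:\SOFTWARE\Scorpion Saver',
    "HKLM:\SOFTWARE\Classes\AppID\$AppId",
    "HKLM:\SOFTWARE\Classes\Wow6432Node\AppID\$AppId",
    "HKLM:\SOFTWARE\Wow6432Node\Classes\AppID\$AppId",
    'Registry::HKEY_USERS\.DEFAULT\Software\AppDataLow\Software\Scorpion Saver',
    'Registry::HKEY_USERS\S-1-5-18\Software\AppDataLow\Software\Scorpion Saver'
)
foreach ($c in $Clsids) {
    $RegKeys += "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$c"
    $RegKeys += "HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID\$c"
}
foreach ($cs in 'ControlSet001', 'ControlSet002', 'CurrentControlSet') {
    $RegKeys += "HKLM:\SYSTEM\$cs\Control\SafeBoot\Network\AdpeakProxy"
    $RegKeys += "HKLM:\SYSTEM\$cs\services\WinSock2\Parameters\AppId_Catalog\049970F0"
}

# Files and folders from the OTM script's :Files section.
$Files = @(
    'C:\Program Files\ScorpionSaver Services',
    "$UserProfile\AppData\Local\Temp\AdpeakProxyr.log",
    "$UserProfile\AppData\Local\Temp\AdpeakRegisterLSP.ini.log",
    'C:\Windows\System32\AdpeakProxy64.dll',
    'C:\Windows\SysWOW64\AdpeakProxy.dll',
    'C:\Windows\Temp\AdpeakProxy.log',
    'C:\Windows\Temp\AdpeakProxyr.log'
)

$Leftovers = @()
foreach ($k in $RegKeys) { if (Test-Path -LiteralPath $k) { $Leftovers += "REG  $k" } }
foreach ($f in $Files)   { if (Test-Path -LiteralPath $f) { $Leftovers += "FILE $f" } }

# The Winsock catalog matters most: a Layered Service Provider entry whose DLL has
# been deleted can break all networking, so confirm AdpeakProxy is gone from it.
$Catalog = netsh winsock show catalog
foreach ($hit in ($Catalog | Select-String -SimpleMatch 'AdpeakProxy')) {
    $Leftovers += "LSP  $($hit.Line.Trim())"
}

if ($Leftovers.Count -eq 0) {
    Write-Output 'No Scorpion Saver / AdpeakProxy artifacts found.'
} else {
    Write-Output "Remaining artifacts ($($Leftovers.Count)):"
    $Leftovers | ForEach-Object { Write-Output "  $_" }
}
```

A clean run prints the single "No ... artifacts found" line. If an LSP line is reported after the DLLs are already gone, the catalog still references a missing provider; rebuilding the catalog with the standard `netsh winsock reset` command (a general Windows repair, not a step from this thread) and rebooting is the usual way to clear that.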


We need to run an online AV scan to ensure there are no remnants of any infection left on your system. This scan can take several hours to complete; it is very thorough and well worth running, so please be patient and let it complete:

Run Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Windows 7: right click on the IE shortcut and run as admin

Go to the Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete

If no threats were found:
  • Put a checkmark in "Uninstall application on close"
  • Close program
  • Report to me that nothing was found

If threats were found:
  • Click on "list of threats found"
  • Click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • Put a checkmark in "Uninstall application on close"
  • Click on finish
  • Close program
  • Copy and paste the report in next reply

 

Finally,

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security alerts, either accept the alert or turn the security off while Security Check runs.)

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Post those logs, also let me know if there are any remaining issues or concerns.

Kevin


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
